What does the Ukraine war mean for third-party risk management?

31 March 2022

Third-party risk management (TPRM) is essential following Russia’s war on Ukraine and should be prioritised by CPOs to ensure the smooth running of supply chains. 

Procurement managers should view volatility within supply chains as the new norm, David Loseby, director for Aquitaine Strategy Limited, told Supply Management.

“When you look at the extensive amount of trade – including imports and exports – between Ukraine, Russia and China as an example, you see that the trade is literally billions of dollars per annum. 

“Therefore a renewed and more focused approach on third-party risk management is not only advisable, but essential.”

He said the war had added to existing supply chain pressures but procurement should seize on opportunities to reconfigure risk management.  

“We must recognise that the Covid-19 virus is still with us, Brexit still has a number of phases to go through before all the full unwinding and resetting of EU-UK trade is complete, and the Ukraine-Russia conflict is currently ongoing. Volatility, uncertainty, complexity and ambiguity is set to become the norm,” said Loseby.

“The profession needs to see this as such and seize the opportunities that this may well present. In short it should be in the top three on CPOs’ to-do list. They should recognise this as dynamic and not static action that must be underpinned by good data and systems to provide effective decision support across the entire value chain of an organisation.”

Speaking at eWorld, Loseby recommended:

1. Identify how risk averse you are

Are you risk averse, or are you open to taking risks? Answering this is vital for forming the foundations of your risk strategy.

He said: “Deciding your risk threshold is critically important and will set the strategy for you going forward.”

Establishing whether you are “cautious” or “adventurous” when it comes to risk will establish the kind of business policies you implement, and the appropriate risk management measures you will need to put in place.

2. A tailored approach 

Loseby said businesses cannot take a “one-size-fits-all” approach to risk management.

He said: “Don't simply rely on what another business might be doing, or what a colleague may be doing. You have to think about, 'What does this mean for my organisation?'

“You need to think about the different regulations that might apply to different sectors. There will be different things that will actually affect the way in which you construct supply chain and risk management.”

3. Data and cyber security 

“Most cyber attacks and malware attacks are not a direct attack on the company, but usually through a third party. So typically, this is where weakness within your supply chain sits,” Loseby said. 

Spreadsheets, notebooks and manual notes are “no longer a viable option” to track data sets; however, the move to digitalising supply chains can create vulnerabilities.

He said structuring data should be part of a long-term strategic plan. “You need to ask yourself, 'When I put a software platform in, what general interfaces has it got with other datasets on the data systems that I might need to defend? What is the risk of duplicating or eradicating as a consequence of taking on different systems and different pieces of data?' Thinking about these things is really coherent and is part of a longer term strategy.” 

Companies must also establish “clear metrics that drive insight and effective decision making”.

4. Integrating TPRM as part of your ESG strategy 

“What you begin to realise is that third party risk management is inextricably linked to everything and anything we talk about in terms of ESG,” Loseby argued.   

“The fact you can turn around and say, 'We have no business in Russia, we have no business with any regimes, we don't have child labour within our supply chains.'  Reputation sets you aside from the rest of the competition.” 
